1.5.10 tag problem of security #565
Comments
|
How is this a security problem ? |
|
The 1.5.10 tag has been changed, the checksum has been modified too. You can see: |
|
@Neustradamus said:
Can you give us some more information on why this should never be done. May I also ask you to link to other references saying this is a no-go. Sure you are right changing an official release tag is not a great thing to do. But there were good reasons I think. Running the installer from the earlier tagged as 1.5.10 (65fe719) source with the location plugin enabled would inevitably break the web UI access. This is a direct result of too few people being involved in FOG development and namely testing before a release and me trying to get 1.5.10 out with not enough time on my hands to do all the testing on a very long and busy FOG weekend. Not complaining, just saying how I see it.
I don't see the reasons for that yet and I am not going to change it back unless you are going to handle all support cases in the forums and on Github related to issues with installing the earlier tagged as 1.5.10 (65fe719) source!! As I said, this would be anyone who has the location plugin enabled.
We thought about that too. But it would still leave a gap for people to fall into when using 1.5.10 just because they have not heard there is a show stopping bug in there.
Yes and as well we have updated all the release information right at that same moment:
Well, we do publish checksums on the website and have done so for a long time - see https://fogproject.org/download |
|
@Sebastian-Roth: An example for verification: buildroot/buildroot@8ac75a9 For example, you can see here: https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/ The solution is to have the good original 1.5.10 tag and to create a new tag "1.5.10.x" or "1.5.11". |
|
@FOGProject, @Sebastian-Roth and others, Have you looked to solve this problem? Put the original tag and create a new tag with a new version... In the 1.5.10 announcement, please add a link to the new announcement version with explanation that it is important to install the new build. |
|
I'm still unclear as to how this creates a security issue. |
|
If it is, we may want to just delete the 1.5.10 release and just release a 1.5.11 or make 1.5.10.4 the main release? |
|
The security problem is here because there are two different 1.5.10 builds in time: One from 5 March and a second from 31 March. It is not possible to have the 1.5.10 original tag and create a new tag with 1.5.10.x/1.5.11? If one people install the original 1.5.10, it is possible to update 1.5.10.x or 1.5.11 no? |
While hash systems are used for verification and in some cases for security goals, there is no security concerns related to github tags with a different hash. The hash, in fact, is there specifically so it can still update even if the tag or release is otherwise identical. Other systems (such as composer) also do this. While it's certainly a convention to release minor patch versions for bugfixes, it's by no means a hard rule. I would only argue in favor of it for virtue of making it easier to help people if they run into problems with their version. (but then again, the first thing they're likely to try is to look for an update which would make that point invalid anyway...) |
|
@FOGProject team, @Sebastian-Roth: Have you progressed on this problem? |
|
@Neustradamus I still don't see how we can progress on this topic as I don't see this as a (security) problem you are pointing out - along with the comments from other people. The one example you mentioned (https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/) is really out of our scope. Maybe we can get in contact (https://fossies.org/comments.html) to inform them about updating as well but that's about it. Edit: I just sent out an email to fossies.org |
|
So https://fossies.org/linux/misc/fogproject-1.5.10.tar.gz/ is updated now thanks to Jens! I am going to close this topic now. If there are still other archives with the old information (checksum, ...) you are free to contact those people or let us know. |
@Sebastian-Roth: There is a problem of security, 1.5.10 tag has been changed, never do it!
You need to replace the current 1.5.10 tag by the original tag.
And create a new tag for 1.5.10.4.
5 March 2023, 1.5.10 must be: 65fe719
31 March 2023, 1.5.10.4 must be: 3eaa83b
If there is a problem with 1.5.10.x, you must to create a 1.5.11.
Thanks in advance.
The text was updated successfully, but these errors were encountered: